Reputation: 11
if (jsonresponse == 'SESSION_ALREADY_LOGGED_IN' || jsonresponse == 'USER_ALREADY_LOGGED_IN') {
    // Redirects with the username and password in the query string.
    window.location.replace("${pageContext.request.contextPath}/TrialUser.jsp?rsUsername=" +
        getURLParameter("rsUsername") + "&rsPassword=" + getURLParameter("rsPassword") + "&rsUse=" +
        getURLParameter("rsUse") + "&HOOK_URL=" + getURLParameter("HOOK_URL"));
}
Upvotes: 1
Views: 2793
Reputation: 1030
The simple way is to encrypt it and send it in the "Authentication" request header. You can use simple HTTP base with username/password in Base64, or make it more complicated using Bearer and JWT (JSON Web Token) with a token, hash and at least 256-bit.
If you are considering using MD5, then you should know it was cracked in 1991 and has not been secure in over 25 years.
Upvotes: 2
Reputation: 1032
It seems like the overall architecture design should change regarding the login functionality. Might be a good idea to rethink how you'd like to implement the process.
Also, why send the username/password as GET parameters? GET requests are also usually logged by various web servers/application servers, which poses a security risk. Use POST for this when performing login sequences.
If GET should be used, look into other solutions regarding identification possibilities.
Upvotes: 1
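The point made in the answer above, as an added example that is not part of the original thread: it moves the credential parameters from the question's redirect URL into a POST body and shows the request line a typical access log would record in each case. The parameter names come from the question; the `/login` path, the `app.example` host and the sample values are assumptions constructed for illustration.

```javascript
// Added example (not from the thread). rsUsername, rsPassword, rsUse and
// HOOK_URL come from the question; the /login path is an assumption.
const SENSITIVE = new Set(["rsUsername", "rsPassword"]);

// Split the parameters of a GET-style login URL into what may stay in the
// URL and what must travel in the request body.
function toPostRequest(getUrl, loginPath = "/login") {
  const src = new URL(getUrl);
  const body = new URLSearchParams();
  const query = new URLSearchParams();
  for (const [name, value] of src.searchParams) {
    (SENSITIVE.has(name) ? body : query).append(name, value);
  }
  const qs = query.toString();
  return {
    url: src.origin + loginPath + (qs ? "?" + qs : ""),
    init: {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: body.toString(),
      credentials: "same-origin",
    },
  };
}

// What a common access-log format records: the method and request target,
// never the body.
function requestLine(url, method) {
  const u = new URL(url);
  return `${method} ${u.pathname}${u.search} HTTP/1.1`;
}

// Constructed sample input.
const sample =
  "https://app.example/TrialUser.jsp?rsUsername=alice&rsPassword=s3cret&rsUse=1&HOOK_URL=%2Fhome";
const req = toPostRequest(sample);

console.log(requestLine(sample, "GET"));            // credentials visible in the log line
console.log(requestLine(req.url, req.init.method)); // credentials absent from the log line
// In a browser the request would be sent with: fetch(req.url, req.init)
```

The same request target that reaches the access log is also kept in browser history and can be passed on in the Referer header, so the body is the only part of this request that stays out of all three. Send it over HTTPS in either case.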
Reputation: 915
Why are you sending the username and password in a GET request? It should always be in a POST request.
If you have to do it, at least encrypt your password or user details through JavaScript before sending it:
window.location.href = "index.php?Id=" + encrypt(5) + "&No=" + encrypt(5);
I strongly recommend you don't do it.
Upvotes: 1